openapi: 3.0.0
servers:
  - url: https://api.enterprise.apigee.com/v1
info:
  title: Keystores and truststores API
  description: >-
    Manage keystores and truststores.

    Keystores and truststores define repositories of security certificates used for TLS encryption. The main difference between the two is where they are used in the TLS handshaking process:

      * A keystore is maintained on the server hosting the TLS endpoint. It contains a TLS certificate and private key. When a client connects to the TLS endpoint on the server, the keystore presents the server's certificate (public cert) to the client. All servers hosting a TLS endpoint create a keystore for both one-way and two-way, or client, TLS.
      * A truststore contains trusted certificates stored on the client that are used when the client makes an outbound TLS connection to a TLS endpoint. The contents of the truststore are used to validate the identity of the server's certificate being presented to the client. A server typically creates a truststore when configuring two-way TLS. The server maintains its cert and private key in its keystore, and maintains the client's cert in its truststore.

    For more information, see Creating keystores and truststores using the Edge API.
  version: '1.0'
security:
  - Basic: []
  - OAuth: []
paths:
  "/organizations/{org_name}/environments/{env_name}/keystores":
    post:
      tags: ["Keystore", "Truststore"]
      summary: Create a keystore or truststore
      description: >-
        Creates a keystore or truststore in an environment.

          * **Keystore**: Contains the TLS certificate and private key used to identify the entity during TLS handshaking.
          * **Truststore**: Contains trusted certificates on a TLS client used to validate a TLS server's certificate presented to the client. These certificates are typically self-signed certificates or certificates that are not signed by a trusted CA.

        To configure functionality that relies on public key infrastructure (TLS and SAML, for example), you need to create keystores and truststores that provide the necessary keys and digital certificates. Keystores and truststores define repositories of security certificates used for TLS encryption.

        The APIs that you use to create a truststore are the same as those used to create a keystore. The only difference is that you pass the cert file as a PEM file instead of a JAR file.

        Keystore names can contain only alphanumeric characters.

        For more information, see Creating keystores and truststores using the Edge API.
      operationId: 'createKeystoreTruststore'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/KeystoreTrustore'
              example:
                aliases: []
                certs: []
                keys: []
                name: MyTestKeystore
        '400':
          description: Bad request
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                name:
                  description: Name of the keystore or truststore.
                  type: string
    get:
      tags: ["Keystore", "Truststore"]
      summary: List keystores and truststores
      description: >-
        Lists the keystores and truststores in the environment.

        In Edge, keystores and truststores are both represented by a keystore entity. That is, the contents of the keystore determine whether it is used as a TLS keystore or truststore:

          * **keystore**: Keystore entity that contains one or more aliases, where each alias contains a cert/key pair.
          * **truststore**: Keystore entity that contains one or more aliases, where each alias contains a cert only.
      operationId: 'listKeystoresTruststores'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '400':
          description: Bad request
  "/organizations/{org_name}/environments/{env_name}/keystores/{keystore_name}":
    delete:
      tags: ["Keystore", "Truststore"]
      summary: Delete a keystore or truststore
      description: >-
        Deletes a keystore or truststore in an environment.
      operationId: 'deleteKeystoreTruststore'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/KeystoreTrustore'
              example:
                aliases: []
                certs: []
                keys: []
                name: MyTestKeystore
        '400':
          description: Bad request
    get:
      tags: ["Keystore", "Truststore"]
      summary: Get a keystore or truststore
      description: >-
        Gets a keystore or truststore in the environment, including the list of keys and certs.
      operationId: 'getKeystoreTruststore'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/KeystoreTrustore'
              example:
                aliases:
                  - aliasName: myTestAlias
                    cert: myTestAlias-cert
                    key: myTestAlias-key
                certs:
                  - myTestAlias-cert
                keys:
                  - myTestAlias
                name: MyTestKeystore
        '400':
          description: Bad request
  "/organizations/{org_name}/environments/{env_name}/keystores/{keystore_name}/aliases":
    post:
      tags: ["Keystore", "Truststore"]
      summary: Create an alias
      description: >-
        Creates a new alias in a keystore or truststore. The input certificate/key formats supported are PKCS12, JAR, certificate PEM file (for truststore), or self-signed certificate.

        **Note**: **Currently, you cannot create an alias using the Try this API panel**.
        **Deprecation Warning**: The `password` query parameter to this method has been deprecated for security reasons. If the private key requires a password, you must pass it as `multipart/form-data`. For example, if you are using curl, use the `-F` password option to specify the password, as shown in the examples that follow.

        **Create an alias in a keystore from a JAR file**

        To use a JAR file to create the alias, it must include the certificate and private key files, and a `META-INF/descriptor.properties` file that contains the following information:

          ```
          certFile=
          keyFile=
          ```

        A keystore JAR can contain just those three files. If you have a certificate chain, all certs in the chain must be appended into a single PEM file, where the last certificate should be signed by a root CA. The certs must be appended to the PEM file in the correct order, with an empty line between each cert.

        Set the `format` query parameter to `keycertjar`. For example:

          ```
          curl "https://api.enterprise.apigee.com/v1/o/{org_name}/e/{env_name}/keystores/{keystore_name}/aliases?alias={alias_name}&format=keycertjar" \
            -X POST -H "Content-Type: multipart/form-data" \
            -F file="@myKeystore.jar" \
            -F password=key_pword \
            -u orgAdminEmail:password
          ```

        **Create an alias in a keystore from a PKCS file**

        To create an alias in a keystore from a PKCS file, set the `format` query parameter to `pkcs12`. For example:

          ```
          curl "https://api.enterprise.apigee.com/v1/o/{org_name}/e/{env_name}/keystores/{keystore_name}/aliases?alias={alias_name}&format=pkcs12" \
            -X POST -H "Content-Type: multipart/form-data" \
            -F file="@myKeystore.pfx" \
            -F password=key_pword \
            -u orgAdminEmail:password
          ```

        **Create an alias in a keystore from PEM files**

        To create an alias in a keystore from PEM files, the certificate and key must be in separate PEM files, passed as `keyFile` and `certFile`, respectively. Set the `format` query parameter to `keycertfile`. For example:

          ```
          curl "https://api.enterprise.apigee.com/v1/o/{org_name}/e/{env_name}/keystores/{keystore_name}/aliases?alias={alias_name}&format=keycertfile" \
            -X POST \
            -H "Content-Type: multipart/form-data" \
            -F keyFile="@server.key" \
            -F certFile="@signed.crt" \
            -F password=key_pword \
            -u orgAdminEmail:password
          ```

        **Create a truststore**

        To create a truststore, create aliases from **certificates only** in PEM format and set the `format` query parameter to `keycertfile`.

        **Create an alias by generating a self-signed certificate**

        To create an alias by generating a self-signed certificate, set the `format` query parameter to `selfsignedcert` and pass the contents of the self-signed certificate in the request body.

        See Creating keystores and truststores using the Edge API for more examples.
      operationId: 'createAlias'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
        - $ref: '#/components/parameters/alias'
        - $ref: '#/components/parameters/format'
        - $ref: '#/components/parameters/ignoreExpiryValidation'
        - $ref: '#/components/parameters/ignoreNewlineValidation'
      responses:
        '201':
          description: Created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Alias'
        '400':
          description: Bad request
      requestBody:
        content:
          multipart/form-data:
            schema:
              type: string
              format: binary
              description: >-
                Alias details, in one of the following formats:

                  * JAR file containing key, certificate, and a descriptor file (if `format=keycertjar`), or pfx/p12 file (if `format=pkcs12`).
                  * Two PEM files, `keyFile` and `certFile`, containing the private key and certificate, respectively.
                  * Single PEM file, `certFile`, containing the certificate in PEM format.
          application/json:
            schema:
              $ref: '#/components/schemas/SelfSignedCertificate'
    get:
      tags: ["Keystore", "Truststore"]
      summary: List aliases
      description: Lists aliases in the keystore.
      operationId: 'listAliases'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '400':
          description: Bad request
  "/organizations/{org_name}/environments/{env_name}/keystores/{keystore_name}/aliases/{alias_name}":
    put:
      tags: ["Keystore", "Truststore"]
      summary: Update the certificate in an alias
      description: >-
        Updates the certificate in the alias. The certificate must be a PEM file with a maximum size of 50 KB.

        **Note**: Do not use this API to update an existing deployed certificate. If you do, you must contact Apigee Support to restart the Routers and Message Processors.
      operationId: 'updateCertificateAlias'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
        - $ref: '#/components/parameters/alias_name'
        - $ref: '#/components/parameters/ignoreExpiryValidation'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Alias'
        '400':
          description: Bad request
      requestBody:
        description: >-
          Certificate file in PEM format.
        content:
          multipart/form-data:
            schema:
              type: string
              format: binary
    delete:
      tags: ["Keystore", "Truststore"]
      summary: Delete an alias
      description: >-
        Deletes an alias and the associated cert and key.

        **Note**: If you delete an alias that is currently being used by a virtual host or target endpoint, any API calls through that virtual host or target endpoint will fail.
      operationId: 'deleteAlias'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
        - $ref: '#/components/parameters/alias_name'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Alias'
        '400':
          description: Bad request
    get:
      tags: ["Keystore", "Truststore"]
      summary: Get alias
      description: >-
        Gets details about an alias, including information about the certificate and key associated with the alias.
      operationId: 'getAlias'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
        - $ref: '#/components/parameters/alias_name'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Alias'
        '400':
          description: Bad request
  "/organizations/{org_name}/environments/{env_name}/keystores/{keystore_name}/aliases/{alias_name}/certificate":
    get:
      tags: ["Keystore", "Truststore"]
      summary: Export a certificate for an alias
      description: >-
        Exports a certificate or certificate chain for the specified alias in a keystore.
        The certificate is displayed in the following form:

          ```
          -----BEGIN CERTIFICATE-----
          MIIDgTCCAuqgAwIBAgIJANjlQa0bGWn2MA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD
          VQQGEwJVUzEWMBQGA1UECe563653657567ZXR0czEUMBIGA1UEBxMLTm9ydGhh
          bXB0b24xDDAKBgNVBAoTA1NNRzEMMAoGA1UECxMDRG9jMQwwCgYDVQQDEwNTTUcx
          ITAfBgkqhkiG9w0BCQEWEnNnaWxzb25AYXBpZ2VlLmNvbTAeFw0xNDExMDYyMDAy
          NTNaFw0yNDExMDUyMDAyNTNaMIGIMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFz
          c2FjaHVzZXR0879870394753944353452345235Htc+9i/mrTSh/lbZFMmW0EYzTgSvnJ0DF+bWuaC
          yfaqd31HMbr7DVFJAji1CI8Ggmvu8gA0lnkCAwEAAaOB8DCB7TAdBgNVHQ4EFgQU
          HEXLx5XxwdLiX9+XYl9OGv19hPQwgb0GA1UdIwSBtTCBsoAUHEXLx5XxwdLiX9+X
          Yl9OGv19hPShgY6cjhdfjhsdfjhlkjsdfMTA1NNRzEhMB8GCSqGSIb3DQEJARYSc2dpbHNvbkBh
          cGlnZWUuY29tggkA2OVBrRsZafYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
          AAOBgQAYHdIdgfCz3ed1aoDCepPKwrYC6MhmzNYH4rPy0QR3UwKGom7VM0ifWlCr
          uxtg7lPF/nA5du2oGjizrtsjFTJ/DE5uV3XdnLHcsdxrJ1AmfNgH8xBqkJGlNv8/
          aPTO/HQqsxi6WSuog1sC1w3VMQS2seUKLOVgkKDmsmcHc3AbXg==
          -----END CERTIFICATE-----
          ```

        If you copy the certificate to a file, from `-----BEGIN CERTIFICATE` through `END CERTIFICATE-----`, you can use the following command to obtain the public key: `openssl x509 -pubkey -noout -in fNAME`

        This command displays the key in the following form:

          ```
          -----BEGIN PUBLIC KEY-----
          MIGfMA0GCSqGSIb3DQEBAQUAA4GNsdfgsdfgQCs90FmfufNs1yIup5B2mdFFcKS
          acW71GeMNVaPBsgsdfgsdfgHjF2BcDT+6FO2FYLJfZXI0lcv5afDdKq+apalG4
          iicdvimUe1z72L+sdfgsdfsdfgLJ9qp3fUcxuvsNUUkC
          OLUIjwaCa+sdfsdfsdADSWeQIDAQAB
          -----END PUBLIC KEY-----
          ```
      operationId: 'exportCertificateAlias'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
        - $ref: '#/components/parameters/alias_name'
      responses:
        '200':
          description: OK
        '400':
          description: Bad request
  "/organizations/{org_name}/environments/{env_name}/keystores/{keystore_name}/aliases/{alias_name}/csr":
    get:
      tags: ["Keystore", "Truststore"]
      summary: Generate a CSR for an alias
      description: >-
        Generates a Certificate Signing Request (CSR) based on the private key for the specified alias. Use this API if you have an expired cert and want to renew it. Download the CSR and then send it to your CA. For example:

          ```
          -----BEGIN CERTIFICATE-----
          MIIDgTCCAuqgAwIBAgIJANjlQa0bGWn2MA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD
          VQQGEwJVUzEWMBQGA1UECe563653657567ZXR0czEUMBIGA1UEBxMLTm9ydGhh
          bXB0b24xDDAKBgNVBAoTA1NNRzEMMAoGA1UECxMDRG9jMQwwCgYDVQQDEwNTTUcx
          ITAfBgkqhkiG9w0BCQEWEnNnaWxzb25AYXBpZ2VlLmNvbTAeFw0xNDExMDYyMDAy
          NTNaFw0yNDExMDUyMDAyNTNaMIGIMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFz
          c2FjaHVzZXR0879870394753944353452345235Htc+9i/mrTSh/lbZFMmW0EYzTgSvnJ0DF+bWuaC
          yfaqd31HMbr7DVFJAji1CI8Ggmvu8gA0lnkCAwEAAaOB8DCB7TAdBgNVHQ4EFgQU
          HEXLx5XxwdLiX9+XYl9OGv19hPQwgb0GA1UdIwSBtTCBsoAUHEXLx5XxwdLiX9+X
          Yl9OGv19hPShgY6cjhdfjhsdfjhlkjsdfMTA1NNRzEhMB8GCSqGSIb3DQEJARYSc2dpbHNvbkBh
          cGlnZWUuY29tggkA2OVBrRsZafYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
          AAOBgQAYHdIdgfCz3ed1aoDCepPKwrYC6MhmzNYH4rPy0QR3UwKGom7VM0ifWlCr
          uxtg7lPF/nA5du2oGjizrtsjFTJ/DE5uV3XdnLHcsdxrJ1AmfNgH8xBqkJGlNv8/
          aPTO/HQqsxi6WSuog1sC1w3VMQS2seUKLOVgkKDmsmcHc3AbXg==
          -----END CERTIFICATE-----
          ```
      operationId: 'generateCSRAlias'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
        - $ref: '#/components/parameters/alias_name'
      responses:
        '200':
          description: OK
        '400':
          description: Bad request
  "/organizations/{org_name}/environments/{env_name}/keystores/{keystore_name}/certs":
    get:
      tags: ["Keystore", "Truststore"]
      summary: Lists certificates for a keystore or truststore
      description: Lists certificates for a keystore or truststore.
      operationId: 'getCertsKeystoreTruststore'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '400':
          description: Bad request
    post:
      tags: ["Keystore", "Truststore"]
      summary: Upload a certificate to a truststore
      description: >-
        Uploads a certificate to a truststore in an environment.

        If the cert is part of a chain, then the truststore must contain all certs in the chain, either as individual PEM or DER files or as a single file. If you use a single file, then the certs must be in order, where the first cert in the file is the certificate used for TLS, followed by the chain of certs, in order, up to the CA certificate. The final certificate is typically signed by the certificate issuer.

        For example, in the truststore, you upload a client certificate, `client_cert_1`, and the client certificate issuer's certificate, `ca_cert`.

        This API validates the following:

          * File size is no larger than 50 KB.
          * Certificate is of type PEM or DER.
          * Certificate is not expired. To bypass this validation, set `ignoreExpiryValidation=true`.
      operationId: 'uploadCertTruststore'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
        - $ref: '#/components/parameters/alias'
        - $ref: '#/components/parameters/ignoreExpiryValidation'
        - $ref: '#/components/parameters/ignoreNewlineValidation'
      responses:
        '204':
          description: No Content
        '400':
          description: Bad request
  "/organizations/{org_name}/environments/{env_name}/keystores/{keystore_name}/certs/{cert_name}":
    delete:
      tags: ["Keystore", "Truststore"]
      summary: Delete cert from a keystore or truststore
      description: >-
        Deletes a cert from a keystore or truststore.

        To view the list of cert aliases in a keystore or truststore, see Get cert details from a keystore or truststore.

        **Note**: If the cert is part of a cert chain, deleting it could cause TLS handshaking to fail.
      operationId: 'deleteCertKeystoreTruststore'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
        - $ref: '#/components/parameters/cert_name'
      responses:
        '200':
          description: OK
        '400':
          description: Bad request
    get:
      tags: ["Keystore", "Truststore"]
      summary: Get cert details from a keystore or truststore
      description: Gets cert details from a keystore or truststore.
      operationId: 'getCertKeystoreTruststore'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
        - $ref: '#/components/parameters/cert_name'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Certificate'
              example:
                certInfo:
                  - basicConstraints: 'CA:FALSE'
                    expiryDate: 1470268707000
                    isValid: 'No'
                    issuer: 'EMAILADDRESS=test@test.com, CN=api-ssl.example.com, OU=E2E, O=Apigee, L=San Jose, ST=CA, C=US'
                    publicKey: 'RSA Public Key, 2048 bits'
                    serialNumber: '00:92:85:f7:e5:3b:c5:30:26'
                    sigAlgName: SHA1withRSA
                    subject: 'EMAILADDRESS=test@test.com, CN=api-ssl.example.com, OU=E2E, O=Apigee, L=San Jose, ST=CA, C=US'
                    subjectAlternativeNames: []
                    validFrom: 1438732707000
                    version: 1
                certName: myTestAlias-cert
        '400':
          description: Bad request
  "/organizations/{org_name}/environments/{env_name}/keystores/{keystore_name}/certs/{cert_name}/export":
    get:
      tags: ["Keystore", "Truststore"]
      summary: Export a certificate from a keystore or truststore
      description: >-
        Exports a certificate.
        The certificate is displayed in the following form:

          ```
          -----BEGIN CERTIFICATE-----
          MIIDgTCCAuqgAwIBAgIJANjlQa0bGWn2MA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD
          VQQGEwJVUzEWMBQGA1UECe563653657567ZXR0czEUMBIGA1UEBxMLTm9ydGhh
          bXB0b24xDDAKBgNVBAoTA1NNRzEMMAoGA1UECxMDRG9jMQwwCgYDVQQDEwNTTUcx
          ITAfBgkqhkiG9w0BCQEWEnNnaWxzb25AYXBpZ2VlLmNvbTAeFw0xNDExMDYyMDAy
          NTNaFw0yNDExMDUyMDAyNTNaMIGIMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFz
          c2FjaHVzZXR0879870394753944353452345235Htc+9i/mrTSh/lbZFMmW0EYzTgSvnJ0DF+bWuaC
          yfaqd31HMbr7DVFJAji1CI8Ggmvu8gA0lnkCAwEAAaOB8DCB7TAdBgNVHQ4EFgQU
          HEXLx5XxwdLiX9+XYl9OGv19hPQwgb0GA1UdIwSBtTCBsoAUHEXLx5XxwdLiX9+X
          Yl9OGv19hPShgY6cjhdfjhsdfjhlkjsdfMTA1NNRzEhMB8GCSqGSIb3DQEJARYSc2dpbHNvbkBh
          cGlnZWUuY29tggkA2OVBrRsZafYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
          AAOBgQAYHdIdgfCz3ed1aoDCepPKwrYC6MhmzNYH4rPy0QR3UwKGom7VM0ifWlCr
          uxtg7lPF/nA5du2oGjizrtsjFTJ/DE5uV3XdnLHcsdxrJ1AmfNgH8xBqkJGlNv8/
          aPTO/HQqsxi6WSuog1sC1w3VMQS2seUKLOVgkKDmsmcHc3AbXg==
          -----END CERTIFICATE-----
          ```

        If you copy the certificate to a file, from `-----BEGIN CERTIFICATE` through `END CERTIFICATE-----`, you can use the following command to obtain the public key: `openssl x509 -pubkey -noout -in fNAME`

        This command displays the key in the following form:

          ```
          -----BEGIN PUBLIC KEY-----
          MIGfMA0GCSqGSIb3DQEBAQUAA4GNsdfgsdfgQCs90FmfufNs1yIup5B2mdFFcKS
          acW71GeMNVaPBsgsdfgsdfgHjF2BcDT+6FO2FYLJfZXI0lcv5afDdKq+apalG4
          iicdvimUe1z72L+sdfgsdfsdfgLJ9qp3fUcxuvsNUUkC
          OLUIjwaCa+sdfsdfsdADSWeQIDAQAB
          -----END PUBLIC KEY-----
          ```
      operationId: 'exportCertKeystoreTruststore'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
        - $ref: '#/components/parameters/cert_name'
      responses:
        '200':
          description: OK
        '400':
          description: Bad request
  "/organizations/{org_name}/environments/{env_name}/keystores/{keystore_name}/keys":
    post:
      tags: ["Keystore", "Truststore"]
      summary: Upload a JAR file to a keystore
      description: >-
        After you've created a keystore in an environment, you can use this API to upload your JAR files that contain a cert and private key.

        This API validates the following:

          * File size is no larger than 50 KB.
          * Certificate is of type PEM or DER.
          * Certificate is not expired. To bypass this validation, set `ignoreExpiryValidation=true`.

        **Deprecation Warning**: The `password` query parameter to this method has been deprecated for security reasons. If the private key requires a password, you must pass it as `multipart/form-data`. For example, if you are using cURL, use the `-F` password option to specify the password:

          ```
          curl "https://api.enterprise.apigee.com/v1/o/{org_name}/environments/{env_name}/keystores/{myKeystore}/keys?alias={key_alias}" \
            -X POST \
            -H "Content-Type: multipart/form-data" \
            -F file="@myKeystore.jar" \
            -F password=key_pword \
            -u email:password
          ```

        See Create keystores and truststores for the Private Cloud version 4.17.09 and earlier for more examples.
      operationId: 'uploadJARKeystore'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
        - $ref: '#/components/parameters/keystore_name'
        - $ref: '#/components/parameters/alias'
        - $ref: '#/components/parameters/ignoreExpiryValidation'
        - $ref: '#/components/parameters/ignoreNewlineValidation'
      responses:
        '204':
          description: No Content
        '400':
          description: Bad request
      requestBody:
        description: >-
          JAR file containing the cert and private key.
        content:
          multipart/form-data:
            schema:
              type: string
              format: binary
  "/organizations/{org_name}/environments/{env_name}/testssl":
    post:
      tags: ["Keystore", "Truststore"]
      summary: Test a keystore or truststore
      description: >-
        Tests your truststore and keystore in the Edge UI to verify that they are configured properly. The test API validates a TLS request from Edge to a backend service. The backend service can be configured to support one-way or two-way TLS.
      operationId: 'testKeystoreTruststore'
      parameters:
        - $ref: '#/components/parameters/org_name'
        - $ref: '#/components/parameters/env_name'
      responses:
        '200':
          description: OK
        '400':
          description: Bad request
      requestBody:
        description: >-
          Test details.
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/TestTLS'
components:
  securitySchemes:
    Basic:
      type: http
      scheme: basic
      description: >-
        Multi-factor authentication is not supported.
    OAuth:
      type: apiKey
      name: Authorization
      in: header
      description: >-
        For OAuth, enter the following in the Key field: Bearer %your-token% (see https://docs.apigee.com/api-platform/system-administration/using-oauth2#get-the-tokens)
  parameters:
    org_name:
      in: path
      name: org_name
      required: true
      schema:
        type: string
      description: Organization name.
    env_name:
      in: path
      name: env_name
      required: true
      schema:
        type: string
      description: Environment name.
    keystore_name:
      in: path
      name: keystore_name
      required: true
      schema:
        type: string
      description: Keystore or truststore name.
    cert_name:
      in: path
      name: cert_name
      required: true
      schema:
        type: string
      description: Certificate name. Use the certificate alias, if available.
    alias_name:
      in: path
      name: alias_name
      required: true
      schema:
        type: string
      description: Alias name.
    count:
      in: query
      name: count
      required: false
      schema:
        type: integer
      description: >-
        **Apigee Edge for Public Cloud only**. Number of API products to return in the API call. The limit is 1000. Required if you specify `startKey`.
    expand:
      in: query
      name: expand
      required: false
      schema:
        type: boolean
      description: Flag that specifies whether to view expanded details about each API product. Set to `true` to view expanded details.
    startKey:
      in: query
      name: startKey
      required: false
      schema:
        type: string
      description: >-
        **Apigee Edge for Public Cloud only**. Name of an API product from which to start displaying the list of API products.

        For example, if you're returning 50 API products at a time (using the `count` query parameter), you can view products 50-99 by entering the name of the 50th API product. The API product name is case sensitive.
    alias:
      in: query
      name: alias
      required: false
      schema:
        type: string
      description: Alias name. Not required for self-signed certificates.
    format:
      in: query
      name: format
      required: true
      schema:
        type: string
      description: >-
        Type of alias creation. Valid values include: `keycertjar`, `pkcs12`, `keycertfile`, and `selfsignedcert`.
    ignoreExpiryValidation:
      in: query
      name: ignoreExpiryValidation
      required: false
      schema:
        type: string
      description: >-
        Flag that specifies whether to validate that the certificate hasn't expired. Set this value to `true` to skip validation. Defaults to `false`.
    ignoreNewlineValidation:
      in: query
      name: ignoreNewlineValidation
      required: false
      schema:
        type: string
      description: >-
        If false, do not throw an error when the file contains a chain with no newline between each cert. By default, Edge requires a newline between each cert in a chain. Defaults to `true`.
  schemas:
    KeystoreTrustore:
      description: Keystore or truststore details.
      type: object
      properties:
        aliases:
          type: array
          description: List of associated aliases.
          items:
            type: object
            properties:
              aliasName:
                type: string
                description: Name of the alias.
              cert:
                type: string
                description: Name of the cert.
              key:
                type: string
                description: Name of the key.
        certs:
          type: array
          description: List of associated certs.
          items:
            type: string
        keys:
          type: array
          description: List of associated keys.
          items:
            type: string
        name:
          type: string
          description: Name of the keystore or truststore.
    Alias:
      description: Alias details.
      type: object
      properties:
        alias:
          type: string
          description: Alias name.
        certsInfo:
          type: object
          description: List of associated certs.
          properties:
            certInfo:
              type: array
              items:
                type: object
                properties:
                  basicConstraints:
                    type: string
                    description: Basic constraints.
                  expiryDate:
                    type: string
                    description: Expiration date in milliseconds since epoch.
                  isValid:
                    type: string
                    description: Flag that specifies whether the certificate is valid.
                  issuer:
                    type: string
                    description: Cert issuer details.
                  publicKey:
                    type: string
                    description: Public key details.
                  serialNumber:
                    type: string
                    description: Serial number of the certificate.
                  sigAlgName:
                    type: string
                    description: Name of the signature algorithm, such as `SHA1withRSA`.
                  subject:
                    type: string
                    description: Subject details.
                  subjectAlternativeNames:
                    type: array
                    description: Alternative names for the subject.
                    items:
                      type: string
                  validFrom:
                    type: string
                    description: Date from which the certificate is valid, in milliseconds since epoch.
                  version:
                    type: integer
                    description: Version number.
        certName:
          type: string
          description: Name of the certificate.
        keyName:
          type: string
          description: Name of the key.
    Certificate:
      description: Certificate details.
      type: object
      properties:
        certInfo:
          type: array
          items:
            type: object
            properties:
              basicConstraints:
                type: string
                description: Constraints.
              expiryDate:
                type: string
                description: Expiration date in milliseconds since epoch.
              isValid:
                type: string
                description: Flag that specifies whether the certificate is valid.
              issuer:
                type: string
                description: Cert issuer details.
              publicKey:
                type: string
                description: Public key details.
              serialNumber:
                type: string
                description: Serial number of the certificate.
              sigAlgName:
                type: string
                description: Name of the signature algorithm, such as `SHA1withRSA`.
              subject:
                type: string
                description: Subject details.
              subjectAlternativeNames:
                type: array
                description: Alternative names for the subject.
                items:
                  type: string
              validFrom:
                type: string
                description: Date from which the certificate is valid, in milliseconds since epoch.
              version:
                type: integer
                description: Version number.
        certName:
          type: string
          description: Name of the certificate.
    TestTLS:
      description: Test TLS details.
      type: object
      properties:
        host:
          type: string
          description: TLS host name.
        port:
          type: string
          description: TLS port number.
        connectionTimeout:
          type: string
          description: TLS connection timeout, in milliseconds. Defaults to 3000.
        targetEndpointConfiguration:
          type: object
          description: TargetEndpoint configuration.
          properties:
            ciphers:
              description: List of TLS ciphers to whitelist.
              type: array
              items:
                type: string
            clientAuthEnabled:
              type: boolean
              description: >-
                Set to `true` to enable two-way (or client) TLS between Edge (as a client making the request) and the target (as a server). Defaults to `false`.
            keyAlias:
              description: Alias specified when you uploaded the JAR file containing the cert and private key to the keystore.
              type: string
            keyStore:
              description: Name of the keystore on Edge.
              type: string
            protocols:
              description: >-
                TLS protocols, such as `SSLv3`, `TLSv1`, `TLSv1.1`, or `TLSv1.2`. If no protocols are specified, then all available protocols are permitted.
              type: array
              items:
                type: string
            trustStore:
              description: Name of the truststore on Edge that contains the certificate or certificate chain used for two-way TLS.
              type: string
    SelfSignedCertificate:
      description: Self-signed certificate details.
      type: object
      required:
        - alias
        - commonName
      properties:
        alias:
          type: string
          description: Alias name. Maximum length is 128 characters.
        keySize:
          type: string
          description: Key size. Default and maximum value is 2048 bits.
          default: 2048
        sigAlg:
          type: string
          description: Signature algorithm used to generate the private key. Valid values are `SHA512withRSA`, `SHA384withRSA`, and `SHA256withRSA` (default).
          default: SHA256withRSA
        subject:
          type: object
          description: Subject details.
          properties:
            countryCode:
              type: string
              description: Two-letter country code. For example, IN for India, US for United States of America.
            state:
              type: string
              description: State or district name. Maximum length is 128 characters.
            locality:
              type: string
              description: City or town name. Maximum length is 128 characters.
            org:
              type: string
              description: Organization name. Maximum length is 64 characters.
            orgUnit:
              type: string
              description: Organization team name. Maximum length is 64 characters.
            commonName:
              type: string
              description: >-
                Common name of the organization. Maximum length is 64 characters.
            email:
              type: string
              description: Email address. Max 255 characters.
        subjectAlternativeDNSNames:
          type: object
          description: List of alternative host names. Maximum length is 255 characters for each value.
          properties:
            subjectAlternativeName:
              type: array
              items:
                type: string
        certValidityInDays:
          type: string
          description: Validity duration of the certificate, in days. Accepts a positive non-zero value. Defaults to 365.
          default: 365